Just read it - very interesting! Is the bottom line essentially don't do 
DNS+TLS-1.3+0-RTT? Basically, since 1-RTT isn't a big performance problem, why 
take the risk of 0-RTT?

JL

On 7/6/19, 12:50 PM, "dns-privacy on behalf of Alessandro Ghedini" 
<[email protected] on behalf of [email protected]> wrote:

    Hello,
    
    On Sat, Jul 06, 2019 at 09:19:41AM -0700, [email protected] wrote:
    > A new version of I-D, draft-ghedini-dprive-early-data-01.txt
    > has been successfully submitted by Alessandro Ghedini and posted to the
    > IETF repository.
    > 
    > Name:             draft-ghedini-dprive-early-data
    > Revision: 01
    > Title:            Using Early Data in DNS over TLS
    > Document date:    2019-07-06
    > Group:            Individual Submission
    > Pages:            5
    > URL:             https://www.ietf.org/internet-drafts/draft-ghedini-dprive-early-data-01.txt
    > Status:          https://datatracker.ietf.org/doc/draft-ghedini-dprive-early-data/
    > Htmlized:        https://tools.ietf.org/html/draft-ghedini-dprive-early-data-01
    > Htmlized:        https://datatracker.ietf.org/doc/html/draft-ghedini-dprive-early-data
    > Diff:            https://www.ietf.org/rfcdiff?url2=draft-ghedini-dprive-early-data-01
    > 
    > Abstract:
    >    This document illustrates the risks of using TLS 1.3 early data with
    >    DNS over TLS, and specifies behaviors that can be adopted by clients
    >    and servers to reduce those risks.
    
    I've been looking for information about using TLS 1.3 0-RTT with DoT, but all I
    could find was a discussion from over a year ago on the mailing list:
    
https://mailarchive.ietf.org/arch/msg/dns-privacy/LKZeOAj7Y4fC-9hRcbX_4KVWu0Y
    
    So I wrote this document to try and document potential risks as well as capture
    requirements for DoT implementations deciding to add support for 0-RTT (RFC8446
    in Appendix E.5 says that "Application protocols MUST NOT use 0-RTT data without
    a profile that defines its use").
    
    Most of the wording comes from RFC8470 and some content from the mailing list
    discussion mentioned above, though there are still some things that need to be
    filled in or expanded.
    
    In this new revision I expanded some of the sections as well as included some
    editorial fixes.
    
    The draft is maintained on GitHub at:
    https://github.com/ghedo/draft-ghedini-dprive-early-data
    
    Would be interested to know what people think about this.
    
    Cheers
    
    _______________________________________________
    dns-privacy mailing list
    [email protected]
    https://www.ietf.org/mailman/listinfo/dns-privacy
    
